From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Fri, 29 Oct 2021 08:13:45 +0000 (+0200)
Subject: 4.9-stable patches
X-Git-Tag: v4.4.291~36
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=706a9a166b4dcb37e6ea2db8d2f3f09ce80b6b77;p=thirdparty%2Fkernel%2Fstable-queue.git

4.9-stable patches

added patches:
	ata-sata_mv-fix-the-error-handling-of-mv_chip_id.patch
	nfc-port100-fix-using-errno-as-command-type-mask.patch
	revert-net-mdiobus-fix-memory-leak-in-__mdiobus_register.patch
	usbnet-fix-error-return-code-in-usbnet_probe.patch
	usbnet-sanity-check-for-maxpacket.patch
---

diff --git a/queue-4.9/ata-sata_mv-fix-the-error-handling-of-mv_chip_id.patch b/queue-4.9/ata-sata_mv-fix-the-error-handling-of-mv_chip_id.patch
new file mode 100644
index 00000000000..3899bd31ae9
--- /dev/null
+++ b/queue-4.9/ata-sata_mv-fix-the-error-handling-of-mv_chip_id.patch
@@ -0,0 +1,38 @@
+From a0023bb9dd9bc439d44604eeec62426a990054cd Mon Sep 17 00:00:00 2001
+From: Zheyu Ma <zheyuma97@gmail.com>
+Date: Fri, 22 Oct 2021 09:12:26 +0000
+Subject: ata: sata_mv: Fix the error handling of mv_chip_id()
+
+From: Zheyu Ma <zheyuma97@gmail.com>
+
+commit a0023bb9dd9bc439d44604eeec62426a990054cd upstream.
+
+mv_init_host() propagates the value returned by mv_chip_id() which in turn
+gets propagated by mv_pci_init_one() and hits local_pci_probe().
+
+During the process of driver probing, the probe function should return < 0
+for failure, otherwise, the kernel will treat value > 0 as success.
+
+Since this is a bug rather than a recoverable runtime error we should
+use dev_alert() instead of dev_err().
+
+Signed-off-by: Zheyu Ma <zheyuma97@gmail.com>
+Signed-off-by: Damien Le Moal <damien.lemoal@opensource.wdc.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/ata/sata_mv.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/ata/sata_mv.c
++++ b/drivers/ata/sata_mv.c
+@@ -3907,8 +3907,8 @@ static int mv_chip_id(struct ata_host *h
+ 		break;
+ 
+ 	default:
+-		dev_err(host->dev, "BUG: invalid board index %u\n", board_idx);
+-		return 1;
++		dev_alert(host->dev, "BUG: invalid board index %u\n", board_idx);
++		return -EINVAL;
+ 	}
+ 
+ 	hpriv->hp_flags = hp_flags;
diff --git a/queue-4.9/nfc-port100-fix-using-errno-as-command-type-mask.patch b/queue-4.9/nfc-port100-fix-using-errno-as-command-type-mask.patch
new file mode 100644
index 00000000000..ad6fc382296
--- /dev/null
+++ b/queue-4.9/nfc-port100-fix-using-errno-as-command-type-mask.patch
@@ -0,0 +1,43 @@
+From 2195f2062e4cc93870da8e71c318ef98a1c51cef Mon Sep 17 00:00:00 2001
+From: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
+Date: Mon, 25 Oct 2021 16:49:36 +0200
+Subject: nfc: port100: fix using -ERRNO as command type mask
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
+
+commit 2195f2062e4cc93870da8e71c318ef98a1c51cef upstream.
+
+During probing, the driver tries to get a list (mask) of supported
+command types in port100_get_command_type_mask() function.  The value
+is u64 and 0 is treated as invalid mask (no commands supported).  The
+function however returns also -ERRNO as u64 which will be interpret as
+valid command mask.
+
+Return 0 on every error case of port100_get_command_type_mask(), so the
+probing will stop.
+
+Cc: <stable@vger.kernel.org>
+Fixes: 0347a6ab300a ("NFC: port100: Commands mechanism implementation")
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/nfc/port100.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/nfc/port100.c
++++ b/drivers/nfc/port100.c
+@@ -1011,11 +1011,11 @@ static u64 port100_get_command_type_mask
+ 
+ 	skb = port100_alloc_skb(dev, 0);
+ 	if (!skb)
+-		return -ENOMEM;
++		return 0;
+ 
+ 	resp = port100_send_cmd_sync(dev, PORT100_CMD_GET_COMMAND_TYPE, skb);
+ 	if (IS_ERR(resp))
+-		return PTR_ERR(resp);
++		return 0;
+ 
+ 	if (resp->len < 8)
+ 		mask = 0;
diff --git a/queue-4.9/revert-net-mdiobus-fix-memory-leak-in-__mdiobus_register.patch b/queue-4.9/revert-net-mdiobus-fix-memory-leak-in-__mdiobus_register.patch
new file mode 100644
index 00000000000..ac92b3b58b3
--- /dev/null
+++ b/queue-4.9/revert-net-mdiobus-fix-memory-leak-in-__mdiobus_register.patch
@@ -0,0 +1,44 @@
+From 10eff1f5788b6ffac212c254e2f3666219576889 Mon Sep 17 00:00:00 2001
+From: Pavel Skripkin <paskripkin@gmail.com>
+Date: Thu, 30 Sep 2021 20:49:42 +0300
+Subject: Revert "net: mdiobus: Fix memory leak in __mdiobus_register"
+
+From: Pavel Skripkin <paskripkin@gmail.com>
+
+commit 10eff1f5788b6ffac212c254e2f3666219576889 upstream.
+
+This reverts commit ab609f25d19858513919369ff3d9a63c02cd9e2e.
+
+This patch is correct in the sense that we _should_ call device_put() in
+case of device_register() failure, but the problem in this code is more
+vast.
+
+We need to set bus->state to UNMDIOBUS_REGISTERED before calling
+device_register() to correctly release the device in mdiobus_free().
+This patch prevents us from doing it, since in case of device_register()
+failure put_device() will be called 2 times and it will cause UAF or
+something else.
+
+Also, Reported-by: tag in revered commit was wrong, since syzbot
+reported different leak in same function.
+
+Link: https://lore.kernel.org/netdev/20210928092657.GI2048@kadam/
+Acked-by: Yanfei Xu <yanfei.xu@windriver.com>
+Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
+Link: https://lore.kernel.org/r/f12fb1faa4eccf0f355788225335eb4309ff2599.1633024062.git.paskripkin@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/phy/mdio_bus.c |    1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/net/phy/mdio_bus.c
++++ b/drivers/net/phy/mdio_bus.c
+@@ -326,7 +326,6 @@ int __mdiobus_register(struct mii_bus *b
+ 	err = device_register(&bus->dev);
+ 	if (err) {
+ 		pr_err("mii_bus %s failed to register\n", bus->id);
+-		put_device(&bus->dev);
+ 		return -EINVAL;
+ 	}
+ 
diff --git a/queue-4.9/series b/queue-4.9/series
index 1a8f01ea38a..41123eb6301 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -3,3 +3,8 @@ arm-9134-1-remove-duplicate-memcpy-definition.patch
 arm-9139-1-kprobes-fix-arch_init_kprobes-prototype.patch
 powerpc-bpf-fix-bpf_mod-when-imm-1.patch
 arm-8819-1-remove-p-from-ldflags.patch
+usbnet-sanity-check-for-maxpacket.patch
+usbnet-fix-error-return-code-in-usbnet_probe.patch
+ata-sata_mv-fix-the-error-handling-of-mv_chip_id.patch
+nfc-port100-fix-using-errno-as-command-type-mask.patch
+revert-net-mdiobus-fix-memory-leak-in-__mdiobus_register.patch
diff --git a/queue-4.9/usbnet-fix-error-return-code-in-usbnet_probe.patch b/queue-4.9/usbnet-fix-error-return-code-in-usbnet_probe.patch
new file mode 100644
index 00000000000..63fb183eb93
--- /dev/null
+++ b/queue-4.9/usbnet-fix-error-return-code-in-usbnet_probe.patch
@@ -0,0 +1,32 @@
+From 6f7c88691191e6c52ef2543d6f1da8d360b27a24 Mon Sep 17 00:00:00 2001
+From: Wang Hai <wanghai38@huawei.com>
+Date: Tue, 26 Oct 2021 20:40:15 +0800
+Subject: usbnet: fix error return code in usbnet_probe()
+
+From: Wang Hai <wanghai38@huawei.com>
+
+commit 6f7c88691191e6c52ef2543d6f1da8d360b27a24 upstream.
+
+Return error code if usb_maxpacket() returns 0 in usbnet_probe()
+
+Fixes: 397430b50a36 ("usbnet: sanity check for maxpacket")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Wang Hai <wanghai38@huawei.com>
+Reviewed-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20211026124015.3025136-1-wanghai38@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/usbnet.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/usb/usbnet.c
++++ b/drivers/net/usb/usbnet.c
+@@ -1742,6 +1742,7 @@ usbnet_probe (struct usb_interface *udev
+ 	dev->maxpacket = usb_maxpacket (dev->udev, dev->out, 1);
+ 	if (dev->maxpacket == 0) {
+ 		/* that is a broken device */
++		status = -ENODEV;
+ 		goto out4;
+ 	}
+ 
diff --git a/queue-4.9/usbnet-sanity-check-for-maxpacket.patch b/queue-4.9/usbnet-sanity-check-for-maxpacket.patch
new file mode 100644
index 00000000000..a688df09cdd
--- /dev/null
+++ b/queue-4.9/usbnet-sanity-check-for-maxpacket.patch
@@ -0,0 +1,37 @@
+From 397430b50a363d8b7bdda00522123f82df6adc5e Mon Sep 17 00:00:00 2001
+From: Oliver Neukum <oneukum@suse.com>
+Date: Thu, 21 Oct 2021 14:29:44 +0200
+Subject: usbnet: sanity check for maxpacket
+
+From: Oliver Neukum <oneukum@suse.com>
+
+commit 397430b50a363d8b7bdda00522123f82df6adc5e upstream.
+
+maxpacket of 0 makes no sense and oopses as we need to divide
+by it. Give up.
+
+V2: fixed typo in log and stylistic issues
+
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+Reported-by: syzbot+76bb1d34ffa0adc03baa@syzkaller.appspotmail.com
+Reviewed-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20211021122944.21816-1-oneukum@suse.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/usbnet.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/net/usb/usbnet.c
++++ b/drivers/net/usb/usbnet.c
+@@ -1740,6 +1740,10 @@ usbnet_probe (struct usb_interface *udev
+ 	if (!dev->rx_urb_size)
+ 		dev->rx_urb_size = dev->hard_mtu;
+ 	dev->maxpacket = usb_maxpacket (dev->udev, dev->out, 1);
++	if (dev->maxpacket == 0) {
++		/* that is a broken device */
++		goto out4;
++	}
+ 
+ 	/* let userspace know we have a random address */
+ 	if (ether_addr_equal(net->dev_addr, node_id))